This post has been updated to reflect that the regulations were approved by the CA Office of Administrative Law on September 23, 2025.
Continue Reading CPPA Adopts ADMT, Cybersecurity and Risk Assessment Regulations
New Year, Old Tradition: CPPA Focuses on Unregistered Data Brokers
The California privacy regulator recently settled with a data broker (Key Marketing Advantage LLC) that it alleged had violated the state’s data broker law. Under the Delete Act, data brokers must, among other things, register annually by January 31 and pay an annual fee. According to the agency, the company failed to register or pay the fee. The broker agreed to pay $55,800 as part of the settlement.
Continue Reading New Year, Old Tradition: CPPA Focuses on Unregistered Data Brokers
The CPPA Signals Focus on Data Minimization and Consumer Requests
Earlier this month, the California Privacy Protection Agency (CPPA) issued its first-ever enforcement advisory (No. 2024-01). The advisory addresses what it calls the “foundational principle” of data minimization, and more specifically, as applied to the processing of consumer requests.
Continue Reading The CPPA Signals Focus on Data Minimization and Consumer Requests
What Do the CPPA’s Draft Regulations on Risk Assessments and Cybersecurity Audits Mean for Companies?
The CPPA, the California regulatory body charged with enforcing CCPA, has now issued draft regulations on risk assessments and cybersecurity audits. The draft was released ahead of a public board meeting to discuss those topics (among other things).
Continue Reading What Do the CPPA’s Draft Regulations on Risk Assessments and Cybersecurity Audits Mean for Companies?
State Privacy Action Grows: Consortium Expands, California Launches Data Broker Strike Force
The Consortium of Privacy Regulators is growing. Meanwhile, CalPrivacy has announced a new program, a data broker “strike force.”
Continue Reading State Privacy Action Grows: Consortium Expands, California Launches Data Broker Strike Force
California Continues to Expand Data Broker Requirements
Companies are become increasingly concerned about being viewed as “selling” personal data. In the midst of these worries, California’s governor signed SB 361, which will change the California Delete Act starting January 1, 2026. The law applies to those who sell personal information about consumers with whom they do not have a direct relationship. For covered entities, the amendment will add to compliance complexities.
Continue Reading California Continues to Expand Data Broker Requirements
California Regulator Releases Updated Draft Regulations, Scales Back Proposed AI Privacy Rules
California appears to be changing its approach to how it regulates artificial intelligence, likely reflecting its reaction to challenges seen recently in other states. Namely, the California Privacy Protection Agency recently released an update to its draft regulations which change how the Agency plans to regulate Automated Decisionmaking Technology, or ADMT. This comes after the Agency’s original proposal faced intense opposition from industry groups, state lawmakers and Governor Newsom.
Continue Reading California Regulator Releases Updated Draft Regulations, Scales Back Proposed AI Privacy Rules
New Era of Collaboration? States Team Up to Coordinate on Privacy Laws
The California Privacy Protection Agency announced this month that it, along with six other states, will be forming a new group called the “Consortium of Privacy Regulators.” (The other states are Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon.) Members include the Attorneys General from these states, as well as California’s privacy regulator (the CPPA).
Continue Reading New Era of Collaboration? States Team Up to Coordinate on Privacy Laws
California’s Privacy Regulator Had a Busy November, Data Broker Edition: What Does It Mean for Businesses?
In the fifth in our series of California developments, we turn to data broker obligations. There are two of note. First, the California privacy agency is moving forward Delete Act regulations it proposed earlier this year. (Its board voted to move regulations addressing data broker requirements to the Office of Administrative Law for review and approval last month.) Second, it announced an investigative sweep of compliance with the Act.
Continue Reading California’s Privacy Regulator Had a Busy November, Data Broker Edition: What Does It Mean for Businesses?
California’s Privacy Regulator Had a Busy November, Cybersecurity Audits and Insurance Edition: What Does It Mean for Businesses?
In the fourth in our series of new CCPA regulations from California, we look at both cybersecurity audit obligations as well as the impact of the CCPA on the insurance industry.
Continue Reading California’s Privacy Regulator Had a Busy November, Cybersecurity Audits and Insurance Edition: What Does It Mean for Businesses?